Accused Pentagon hacker Gary McKinnon appeared on a hackers' panel at the Infosec show on Thursday. McKinnon is continuing to fight against extradition to the US on hacking offences after losing an appeal last month. Only the Law Lords now stand between the Scot and a US trial for allegedly breaking into and damaging 97 US …
About costs ...
"You wouldn't pay that much for a machine at PC world," he said.
Ah, but the military doesn't buy at PC World. They buy from contractors, so a $1500 PC-World machine costs $2500, with an added bonus that only a contractor technician can maintain it, at the addition of another $2500 or so.
I agree with him that the cost figures are high-balled, though. Even allowing for the contractors' profits.
More on costs
Sure the machines are expensive, but it's the security auditing and/or rebuilding of each compromised box that makes up the quite reasonable $5k estimate. I think the issue here shouldn't be the government's real cost, but whether McKinnon can reasonably be held responsible for that cost. If the breaches were really as easy as McKinnon says, DoD and NASA should be footing the bill themselves, and tacking on another charge for setting up the password auditor they neglected to implement in the first place.
Since when does hacking into a computer result in rendering it worthless? It's not as if he physically blew every single military computer into smithereens. The only actual 'cost' I can imagine resulting from his actions is patching the security holes that they had; which they can hardly argue should be charged to him.
I don't think the hardware cost is relevant
I think they're going to say the cost of wiping the workstation, re-installing the OS and software, and the retrieval of data (if it can be retrieved) amounts to $5000 per machine.
Is that fair or correct? I couldn't say, probably not. But the guy that mentioned the cost government pays for computers is bang on.
And that extends to any work done by contractors, who will charge $100s per hour, with minimum costs per machine just to restore a ghost image. Funny how we complain about government wasting tax dollars, and yet we're quite willing to acknowledge and forgive the role played by everyone that does business with them.
Lost data? There shouldn't be any. Any work related data should be stored on servers and servers should be backed up.
If it wasn't they have significantly larger problems than hackers poking around looking for hidden proof of UFOs.
And speaking of that, how is it their systems are so vulnerable to destruction in the first place?
This case has always been about making this guy a scapegoat for the lack of security and complete mismanagement of government IT. That's not pointing the finger at techs and admins working for government, its pointing the finger at those that say, naw, we need to fill the wallets of cronies; all that security, standardisation, upgrading and maintenance is just wasting the tax dollars of the working American.
If only $1,500 machine would cost $2,500 - more likley $25,000 for "secure" "compliant" terminal. shower heads cost the gov. £1,000 and "renting" plants costs £250,000 and then they tell us that the taxes are needed for schools and hospitals... yes, read - kickbacks.
Costs, and more
While the average PC might cost $1500 and given the military's extravagance, a bit more, one forgets the cost of the data that resides on the PC. Everyone should do an assessment of the cost of re-creating the data that resides on our PCs. Even at "cheap" labor rates, it can be quite a bit. Most of the time MORE than the hardware cost (even with the bloated software that comes pre-installed).
But what did he damage?
Now, if the US government were sensible they'd make hacking into a military computer network punishable by a year by itself and we wouldn't be debating this, however the figure of $5000 damage per computer is clearly made up to make it legal to extradite him. Even if they did pay that much per computer, they still have the computers.
To do $700,000 in damage means it costs $700,000 to undo the damage he did. However, the only damage he did was to expose those members of staff who weren't doing their jobs properly.
It is a shame that to make this a crime they had to invent such an unrealistic damage claim, but it is caused by blind spots in American law. Sorry, but that's it.
He was poking around for UFO info. So it was malicious - thus what damage was done? Presumably none other than the sysadmins auditing their machines and firewalls like they should be doing as part of their job description.
The cost here is bad PR for the US Government. They lost the PR so a few $$$$$k will make up for it.
Pathetic - the U.S Government should be ashamed of themselves.
A workable defense might be simply to require that the prosecution produce in court bills for the total amount charged, then dispute each charge that could not be proven to be for repairing damage from a single attack.
After five years, these records might be extremely difficult to come by. This would cause the worst-case charge to suddenly deflate. At every step the quality of the paper trail could be questioned, causing charges to rapidly fall away. The "shadow of doubt" standard for evidence in a criminal proceeding is extremely high.
At the same time, the defense could be trying the case in the US media, always sympathetic to an underdog if he's white, male, and nominally christian. It could end up being an expensive bloody mess for an administration who doesn't need *another* fiasco right now. In fact, if it could happen during an election year, maybe the defense could get campaign contributions, or perhaps a pardon from the next president.
Did he find evidence about UFO?
Did he find evidence about UFO, at least?
They will ask him to pay a lot of money and spend some years in a jail OR he has to work with the government to secure their computer systems..... well, this story looks familiar.
Actually there's a bigger question to answer here
Is storing the personal data of extra terrestrials indefinitely on government computers even legal in the US?
Did he find UFO data?
No, obviously he was looking on the wrong computers. Military computers hold the telepathic mind weapon data, clearly for data regarding UFOs he needed to be on the NSA and FBI's network.
As for NASA - that was complete waste of time. Everyone knows NASA need every square inch of hard disk space it owns just to store all those really cool Hubble photos. They always delete the ones with aliens obscuring the pretty nebulae and star clusters - I thought everyone knew that.
And rumours that Bush suggested replacing Hubble with a Kodak Easyshare digital camera are completely without merit.
Cost to reclone a slew of machines...
Hmmm... "over $700,000" in damage on 97 systems... over $7200 per system? What?!?
Does the governement put a server, an IBM M Pro engineering workstation or high end laptop on every desk? Did the hack "destroy" the machines making them unusable or unable to be recloned? Could a hack cause them to lose software licences? Does the military pay $500+ per hour for IT grunt work?
I suspect the answers to all these questions is a resounding "NO!"
Did the hack compromise the OS install? Maybe. But all he said he did was look for default passwords... so this suggests to me that the problem is that they didn't rename the Administrator account or give it a decent password.
Whose fault is that? (cue in a picture of some really embarrassed military IT staff)
So to fix this... clone a system, modify it by renaming the admin account and giving it a real password, recreate image. That should not take more than 2 hours. 2 hours * $100/hr = $200 - per PC model. They probably have a few different common models, so maybe a couple of thousand in total. Then to recloning the whole lot should not take more than 1 hour per system.... or in other words, $100 per system, not $5000 per system, and definitely not the $7200+ per system that the "$700,000 in damage" works out to.
So in my view, the REAL cost of the "damage" is more like $15,000 to $20,000 worth of labour and some bruised egos.
And if they are paying more than $100 an hour just to do system recloning gruntwork, they had better not publicize it or they will make themselves look like idiots.
The only way that $700,000 of "damage" could have been done is if his hack had rendered systems unusable, causing lost productivity.
But to do this, you have to quantify what could have been "produced" if systems had not gone down (and this is where we can start making jokes about government/military "productivity")
But this is probably moot because by the sounds of it, this guy caused no such down time.
Costs are always absolute rubbish!
Lets be realistic. Generally the people that fix penetrations are ALREADY employed and paid for by the injured party.
There are relatively little costs compared to the numbers from the air system that these paranoid American entities quote.
We were hit by the I love you virus in the dim and distant past. What was the cost hit on us? Truthfully, nigh on nothing. Frustration and excitement among the staff was the only real hit.
We must stop allowing these bullshitting companies quoting ridiculous inflated claims. It sickens me.
Lock down your pathetic systems, have you not learned yet. Also please quit your sensationalistic retoric, it's getting boring.
It's all down to Bliar and friends
Thanks to our submissive approach there is no requirement for the US to provide any evidence of wrongdoing to initiate extradiction from here. The figure generated is for the US itself to pass the requirement for requesting extradition, not us.
The stranger thing about it is that if the chap was a real terrorist threat then the UK government would probably fight the extradition request on some human rights grounds.
What Mr Bliar doesn't realise is that most of the US citizens hold him in as much contempt as we do.
I was there yesterday at Infosec when they were discussing it and another person on the panel bought up a very valid point. Namely that IT is very stange in that people seem to think they can claim for the investigatory process as well as actual damage caused. As far as I am aware Gary was poking his nose in but he did not sell secrets to other states or cause malicious damage... if there is no damage how can you claim damages???? I would have to say the culpable party in my view are those techies that did not change the default passwords. Another point that was raised was that only 4% of penetration tests (I believe these were against US government networks) were picked up and only 1% actually did something about it - now that seems slightly crazy to me!
Cost == Extradition Amount
It's no surprise that the stated cost per system bears no relevance to the true cost of scanning/repairing/reinstalling it, as I'm sure I read a while ago that the cost they came up with just *happens* to coincide nicely with the minimum damage that must be claimed in order to justify extradition.
How can our government / law-lords not smell something rotten in this cost claim when viewed in this light?
Can someone confirm/refute my dodgy memory on this?
Cost == Extradition (2)
Ah, now I've re-read the third paragraph, isn't this exactly what the author of this article is trying to say? I think maybe the other commenters didn't pick up on this subtle implication...
Can a treaty be one sided?
I say put him in prison in this country (if found guilty, obviously) and put a hold on this ridiculous extradition treaty until the US signs up as well. Does anybody here believe they ever had any intention of allowing a US citizen to stand trial here?
Is there an ePetiton we call all sign?
Forget the cost - what about the security?
The real issue here is not how much - which appears to be a red herring to get everyone off the main point - but how is it that yet another part-time code fiddler has got past the security of the Mightiest Nation on Earth(tm).
They bleat on about national and international security and send the troops in but can't run proper simulation games on their own defences.
They should be carting their own contractors off to a private beach in Cuba as a threat to National Security(tm). They must have deliberately left holes so other could get in, so they are either in the pay of the Russkies or Al-whatshisname.
Unless 'Gary McKinnon' is a false name and he's been on holiday to Afghanistan recently he should be paid handsomely by the U.S. for his consultancy work.
Once again, the real terrorists have U.S. passports ;-)
Per computer charges are not to replace the hardware - every computer cracked requires investigation. As I understand it, this work is usually given to external contractors, as the US gov IT staff is generally already booked solid through the next decade - and most of them probably wouldn't be up to it.
Even if the investigations were performed by people already on the payroll, time spent on the investigations is time not spent on other, more productive work. Because of this, the cost of the emplyees' time cannot legitimately be 'discounted'.
I know just enough about what goes on in these situations to suspect that, in fact, the cost per computer is inaccurate - it's lowballed. Realize that not only are they looking to find out how he got in and patch that, but they're also looking to see if he used the system to jump to any other systems. As such, every system that talked to the cracked system from the time the attack started until the cracked system was isolated from the network needs to be reviewed as well.
Just to touch on the example of the 'I love you' virus mentioned above - the impact of that bug varied greatly between companies. In the company where I was working at the time, the virus was blocked after it was in the wild about two hours; it infected several hundred systems, cluttered the mailbox of around 10,000 more, and cost approximately 200 man hours of contract labor to block and clean up. (Yes, it was less than a man hour to clean each system - but the contractor had to walk to each system to clean it - and locating the system wasn't always trivial, as sometimes people had moved machines without updating the systems registry.) One of my friends, however, had a decidedly different experience - it wasn't blocked the first day, it overloaded the company mailserver, and they effectively had no email for a week. Approximately 300 man hours (in a company of 250 employees) were spent attempting to use the email system without success before it was declared dead. Around 200 additional man hours were spent fixing the mail server, and around 50 man hours spent cleaning or re-imaging machines. Even if you assume that email is an unnecessary luxury (they certainly found it was not a luxury), that's 550 man hours (13 man weeks) of wasted time.
Of course, if the cracks were due to default passwords... I've heard that passing security clearances is far more important to the military's hiring process than competency. I have certainly met some very capable and competent people who work for the military - but their stories of coworker incompetence usually beat mine. This isn't meant to excuse, but to explain. Various branches of the US government and military are reputed to have state-of-the-art systems and incredibly brilliant people running them - and they do. However, they also have the inverse situation as well.
Why is NASA in that list?
NASA is a private company and unless things have changed the others are government operations. Shouldn't NASA seek it's own damages if he is found guilty?
He should be rewarded, not punished!
I'm glad it was Gary McKinnon who did this - he's done no more harm than simply pulling at a door that was unlocked in the first place. The US authorities should be thankful it wasn't a malicious hack, and should be offering him a high paying job to work with them to patch up their current holes rather than threatening him with jail time!
- Review Is it an iPad? Is it a MacBook Air? No, it's a Surface Pro 3
- Hello, police, El Reg here. Are we a bunch of terrorists now?
- Microsoft refuses to nip 'Windows 9' unzip lip slip
- Netflix swallows yet another bitter pill, inks peering deal with TWC
- Special Report Roll up for El Reg's 3G/4G MONOPOLY DATA PUB CRAWL